TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2008

September 10, 2008

Reference Number: 2008-20-173

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

Background

The Federal Information Security Management Act (FISMA)[1] requires each Federal Government agency to report annually to the Office of Management and Budget on the effectiveness of its security programs. In addition, the FISMA requires that each agency shall have performed an annual independent evaluation of the information security program and practices of that agency. In compliance with the FISMA requirements, the Treasury Inspector General for Tax Administration performs the annual independent evaluation of the information security program and practices of the Internal Revenue Service.

The Office of Management and Budget provides information security performance measures by which each agency is evaluated for the FISMA review. The Office of Management and Budget uses the information from the agencies and independent evaluations to help assess agency-specific and Federal Government-wide security performance, develop its annual security report to Congress, assist in improving and maintaining adequate agency security performance, and assist in the development of the E-Government Scorecard under the President's Management Agenda.

Attached is the Treasury Inspector General for Tax Administration Fiscal Year 2008 FISMA report. The report was forwarded to the Treasury Inspector General for consolidation into a report issued to the Department of the Treasury Chief Information Officer.

[1] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 10, 2008

MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDIT, OFFICE OF THE TREASURY INSPECTOR GENERAL

FROM: Michael R. Phillips, Deputy Inspector General for Audit

SUBJECT: Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2008 (Audit # 200820024)

We are pleased to submit the Treasury Inspector General for Tax Administration's Federal Information Security Management Act (FISMA)[1] report for Fiscal Year 2008. The FISMA requires the Office of Inspector General to perform an annual independent evaluation of information security policies, procedures, and practices and compliance with FISMA requirements. As such, this report presents the results of our independent evaluation of the Internal Revenue Service's (IRS) information technology security program.

We based our evaluation on the Office of Management and Budget (OMB) FISMA reporting guidelines for 2008 and the answers to the questionnaire published with the OMB guidelines (see Attachment I). During the 2008 evaluation period,[2] we also conducted nine audits to evaluate the adequacy of information security in the IRS (see Attachment II). We considered the results of those audits when making our assessment. Major contributors to this report are listed in Attachment III.

To complete our review, we evaluated a representative sample of 22 IRS information systems to assess the quality of the certification and accreditation process. For these systems, we also assessed the annual testing of controls for continuous monitoring, testing of Information Technology Contingency Plans, and quality of the Plan of Action and Milestones process. We conducted separate tests to evaluate processes for inventory accuracy, configuration management, incident reporting, awareness training, and information privacy.

[1] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[2] The FISMA evaluation period for the Department of the Treasury is July 1, 2007, through June 30, 2008. Hereafter, all references to 2008 refer to the FISMA evaluation period.

Overall, the IRS has made steady progress in complying with FISMA requirements since enactment of the FISMA in 2002, and it continues to place a high priority on efforts to improve its security program. We observed significant improvements in the areas of security that we had identified as needing improvement in our 2007 FISMA evaluation.[3] In addition, during 2008, the IRS Modernization and Information Technology Services organization Cybersecurity office took steps to achieve efficiencies in the certification and accreditation process. It realigned its general support system structure by functional rather than physical boundaries, which reduced the number of general support systems and improved mapping to applications. It also streamlined the certification and accreditation process for low-impact systems to reduce costs and improve scheduling capabilities. During 2008, the IRS certified and accredited the last of its systems that had not previously been assessed through a National Institute of Standards and Technology (NIST)[4]-compliant certification and accreditation process. The IRS also continued to work closely in seeking guidance and concurrence on FISMA issues with the Treasury Inspector General for Tax Administration and the Department of the Treasury Chief Information Officer to improve compliance with the NIST and FISMA requirements.

Our evaluation of the IRS' 2008 performance against specific OMB security measures and our audit work performed during 2008 show that while the IRS improved its certification and accreditation process, more needs to be done to adequately secure its systems and data. The most significant area of concern is implementation of configuration management standards.

Attachment I provides our responses to the OMB FISMA questions for the Inspector General. We are confident that the IRS systems inventory is substantially complete, the Plan of Action and Milestones process is adequate to ensure the remediation of security weaknesses, and policies and procedures are followed for reporting computer security incidents. Provided in this document are security performance improvements as well as areas that require additional attention.

Certification and Accreditation Process

The IRS has made significant progress in its certification and accreditation process. Therefore, this year we evaluate this process as good. However, the IRS needs to continue to improve the process to ensure that the level of annual security controls and contingency plan testing is sufficient.

[3] Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2007 (Reference Number 2007-20-186, dated September 4, 2007).
[4] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines, including minimum requirements for providing adequate information security for all Federal Government agency operations and assets.

The OMB guidelines for minimum security controls in Federal Government information systems require that all systems be certified and accredited every 3 years or when major system changes occur. The NIST provides guidelines for conducting the certifications and accreditations. In our 2007 FISMA evaluation, we reported that the IRS had implemented a satisfactory certification and accreditation process. This year the IRS completed this implementation, and it has now subjected all systems to the process. We evaluated the quality of the certification and accreditation process for all 11 of the systems in our sample of 22 that were certified and accredited in 2008. We determined that all 11 systems were properly certified and accredited in accordance with NIST guidelines.

For the remaining systems in our sample, we reviewed the adequacy of annual testing of security controls for continuous monitoring. The IRS made significant progress this year in this area. An appropriate subset of management, operational, and technical controls was selected, documented, and approved for each of the 11 systems we reviewed. However, the testing of operational and technical controls needs improvement and does not meet NIST and IRS guidelines. Overall, 28 percent of the controls were not sufficiently tested for the 11 systems from our sample. Thirty-seven percent of the operational controls were not adequately tested, and 67 percent of the technical controls were not adequately tested. These tests were limited to examining certification and accreditation documentation without securing evidence from the system. As a result, some tests were insufficient to identify controls that might not be operating as intended to protect the systems and data.

We also examined the IRS' testing of Information Technology Contingency Plans, which has improved in the past year. This year the IRS implemented a revised testing program and improved its testing guidance. Our review of the 22 systems in our sample determined that adequate tabletop[5] testing was performed for all systems. In addition, the IRS performed functional testing for the 10 systems in our sample for which this testing was required. However, improvements are needed to ensure that testing meets Department of the Treasury and IRS guidelines:

• Supporting documentation for 4 of the 10 functional tests did not adequately support testing results for verifying readability of backup tapes retrieved during the tests.
• The IRS has not developed criteria to assess the timeliness of retrieving backup tapes from offsite locations. In addition, the IRS did not compute the time for retrieving backup tapes in any of the 10 functional tests.
• The IRS performed only a limited test of timeliness for offsite retrieval of backup tapes, including those from offsite vendors, during other than normal working hours. The IRS conducted this test for only one system and did not document the results. IRS management informed us that this was a cost-based decision due to the limited funding for these tests.
• Testing plans and results did not include a description of the sampling methodology used for retrieving and validating the readability of backup files. IRS procedures recommend that a sample of files, rather than the entire population, be selected for testing and that the sample be selected at random.

[5] Participants in tabletop exercises walk through the contingency plan procedures to ensure that the documentation reflects the ability to adequately perform the tasks outlined without any recovery operations actually occurring.

Plan of Action and Milestones Process

The IRS has an agency-wide process for managing Plans of Action and Milestones, which generally includes incorporating findings from our audit reports. However, our findings reported in 2008 were not included in the IRS Plan of Action and Milestones process as they had been in prior years. Based on our discussions with IRS management, we determined that responsibilities for this part of the Plan of Action and Milestones process were inadequately transferred between employees.

Privacy Requirements

During the past year, the IRS has continued to take steps to better protect the privacy of taxpayers. We determined that a Privacy Impact Assessment[6] was prepared according to IRS guidelines for each of the 22 systems in our representative sample. The IRS has also taken steps to implement OMB requirements for safeguarding against and responding to the breach of personally identifiable information (PII). The IRS has developed plans to respond to PII breaches and to reduce the use of Social Security Numbers. In 2008, the IRS also conducted a program to refresh employee awareness of existing policies and procedures about encrypting, safeguarding, and protecting sensitive information. As a result, we are evaluating the IRS' progress in implementing OMB requirements for safeguarding against and responding to breaches of PII as good.

However, we continue to have concerns about the IRS' overall ability to adequately protect PII. In particular, weaknesses in access controls, audit trails, and system configuration settings directly affect the IRS' ability to protect PII. In 2008, our audits continued to identify weaknesses in the IRS' ability to adequately secure its systems and protect PII. Attachment II presents a list of these reports.

[6] This is an analysis of how personal information is collected, stored, shared, and managed in a Federal Government system.

Security Configurations

The OMB requires agencies to have configuration guides in place to ensure consistent implementation of software across the agency. The IRS has an agency-wide security configuration policy but needs to do more to ensure that information systems apply common security configurations established by the NIST.

The IRS provided test results that demonstrated an overall rate of 71 percent to 80 percent for implementing security configurations. In general, we agreed with the IRS' compliance assessment, with one exception. The IRS used external scanning software to assess compliance for one of its most heavily used database products instead of using a scanner that can authenticate to the database and assess internal database configurations.

During our evaluation, we also identified software used by the IRS for which compliance with NIST or IRS standard configurations was not reported. The software includes firewalls, systems management computers, web servers, handheld device servers, and mainframes. The software should be included in the IRS' 2009 FISMA assessment.

In this year's assessment, the OMB also requires an evaluation of agency progress in implementing the Federal Desktop Core Configuration (FDCC) standard configurations. We are currently conducting an audit in this area and will further evaluate the IRS' progress in implementing these configurations. Our evaluation below is based on the IRS' progress as of June 30, 2008.

The IRS has adopted the FDCC standard configurations in its workstation security policies and compliance assessment tools. It has documented 11 deviations from the FDCC and the business reasons why the settings cannot be implemented, which have been reported along with other noncompliant settings to the Department of the Treasury. The IRS continues to test FDCC standard configurations and therefore has only partially implemented the FDCC. Based on guidance from the OMB that partial implementation is acceptable, and because the IRS followed the Department of the Treasury process for reporting deviations, we determined that the agency has adopted and implemented FDCC standard configurations and has documented deviations. The IRS has also included new Federal Acquisition Regulation[7] language in three contracts that we were able to review and has issued guidance on this requirement.

However, we were unable to confirm that the IRS has implemented FDCC standard configurations on all Windows workstations. The OMB permits implementation to include those settings for which deviations have been documented. The IRS is currently testing settings to determine whether they can be implemented; it has confirmed compliance with 89 FDCC settings in its test environment. However, the IRS has not yet validated that these settings are implemented on IRS workstations. The IRS compliance assessment tool, recently configured to assess compliance with some FDCC settings, is in the initial stages of assessing IRS workstations. Therefore, we cannot validate that FDCC settings are implemented on all IRS workstations.

[7] 48 C.F.R. ch. 1 (2006).

Electronic Authentication Risk Assessments

Last year we reported that the IRS completed electronic authentication (e-authentication) risk assessments for its systems. While our review this year continued to find that e-authentication risk assessments are completed, we do not have confidence that applications have operationally achieved the required assurance level in accordance with NIST Electronic Authentication Guidelines (Special Publication 800-63).

We agree with the IRS' inventory of e-authentication applications and did not identify any additional applications that should be included. However, the IRS has not consistently validated the operation of e-authentication controls. The OMB requires Federal Government agencies to conduct a final validation confirming that systems achieve the required e-authentication assurance level. This validation should be performed as part of required security procedures, such as certification and accreditation or annual testing. We determined that three of the five e-authentication applications did not include e-authentication validation tests during certification and accreditation. The IRS has acknowledged the need to improve its e-authentication process and plans to revise its process for validating e-authentication assurance levels during the 2009 FISMA reporting period.

Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Attachment I

Details of the Treasury Inspector General for Tax Administration Federal Information Security Management Act Analysis

Attachment II

Treasury Inspector General for Tax Administration Information Technology Security Reports Issued During the 2008 Evaluation Period

1. Effectiveness of Access Controls Over System Administrator User Accounts Can Be Improved (Reference Number 2007-20-161, dated September 19, 2007).
2. Lack of Proper IRS Oversight of the Department of the Treasury HSPD-12 Initiative Resulted in Misuse of Federal Government Resources (Reference Number 2008-20-030, dated December 14, 2007).
3. Internal Revenue Service Databases Continue to Be Susceptible to Penetration Attacks (Reference Number 2008-20-029, dated December 14, 2007).
4. Improvements Are Needed to the Information Security Program Governance Process (Reference Number 2008-20-076, dated March 11, 2008).
5. Actions Are Needed to Improve the Effectiveness of the Physical Security Program (Reference Number 2008-20-077, dated March 13, 2008).
6. Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information (Reference Number 2008-20-071, dated March 26, 2008).
7. Private Collection Agencies Adequately Protected Taxpayer Data (Reference Number 2008-20-078, dated March 26, 2008).
8. Control Weaknesses at Internal Revenue Service Internet Connections Increase Security Risks (Reference Number 2008-20-143, dated July 17, 2008).
9. Unauthorized and Insecure Internal Web Servers Are Connected to the Internal Revenue Service Network (Reference Number 2008-20-159, dated August 26, 2008).

Attachment III

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Michael Howard, Audit Manager
Alan Beber, Senior Auditor
Richard Borst, Senior Auditor
Charles Ekunwe, Senior Auditor
Myron Gulley, Senior Auditor
Jody Kitazono, Senior Auditor
Thomas Nacinovich, Senior Auditor
Midori Ohno, Senior Auditor
Joan Raniolo, Senior Auditor
Jefferson Lee, Program Analyst